
KubernetesClientException: ClusterRole or Role


Upon deploying a service with Spring Cloud Kubernetes Discovery Client, I get the KubernetesClientException stating that the user "default" is forbidden to access pods.

I have already added a Role and a RoleBinding as specified here.

The guide states that a ClusterRole is necessary. But that is not an option for me, as we share the cluster with other departments. I only want the role to affect our project / namespace.

Is ClusterRole required or should Role be sufficient?


Solution

  • To allow a service account access to these one needs to create a role with the necessary permissions and assign it to the account. This is done with a cluster role, or a role, if one only wants it in one namespace, and a role binding, which is specific to a namespace.

    It says that you can use either Role or ClusterRole.

    Just bear in mind when creating a Role a namespace should be defined. i.e.

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      namespace: mynamespace
      name: service-discovery-client
    rules:
    - apiGroups: [""] # "" indicates the core API group
      resources: ["services", "pods", "configmaps", "endpoints"]
      verbs: ["get", "watch", "list"]
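
The Role above grants nothing until a RoleBinding in the same namespace attaches it to the service account the pod runs as. The manifest below is an added example, not part of the original answer or the Spring Cloud Kubernetes guide; it assumes the `mynamespace` namespace and `service-discovery-client` Role from the answer and the `default` service account from the question's error, and the binding name is hypothetical.

```yaml
# Added example: binds the namespaced Role to one service account.
# Namespace and Role name are taken from the answer above; the binding
# name is a hypothetical choice.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: mynamespace                    # a RoleBinding only grants access inside this namespace
  name: service-discovery-client-binding    # hypothetical name
subjects:
- kind: ServiceAccount
  name: default                             # the account named in the "forbidden" error
  namespace: mynamespace
roleRef:
  kind: Role                                # namespaced Role, not a ClusterRole
  name: service-discovery-client
  apiGroup: rbac.authorization.k8s.io
# Check the effective permissions by impersonating the service account:
#   kubectl auth can-i list pods -n mynamespace \
#     --as=system:serviceaccount:mynamespace:default
#   kubectl auth can-i list pods -n kube-system \
#     --as=system:serviceaccount:mynamespace:default
```

With only this binding in place, the first check should be allowed and the second denied, which confirms the grant stays inside the one namespace. Every pod in `mynamespace` that does not set its own service account runs as `default` and inherits these read permissions, so a dedicated service account for the discovery client keeps the grant narrower.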